Tuesday, June 2, 2009

Botnet. Securing the new version of Zeus

For a few days now, a new version of Zeus (also known as Zbot, wsnpoem, Ntos or Prg) has been circulating on the Internet. This new version incorporates several features, among which stands out the possibility of spreading the threat through an exploit, with e-mail being the most commonly used infection vector.

But perhaps the most interesting change is in its structure: a new security layer has been added to the authentication process of its administration and control panel.

In previous versions, the authentication process consists of three fields: the user name, the password, and a third that sets the language in which the crimeware is displayed, offering two options: English and Russian (the latter being the native tongue of the package's creator).

The new version keeps the authentication options above and adds a new field that offers greater security against attempts at "cracking the password".

This isn't the only change. The Zeus code has also been optimized and the layout of its modules slightly modified, the structure being set up as follows:
  • /install > folder where the installer is housed
  • /system > folder that hosts the system files
  • /theme > design with which Zeus is displayed
  • cp.php > control panel
  • gate.php > backdoor of the bot
  • index.php > prevents the file listing
  • /system/config.php > configuration file
  • /system/fsarc.php > script that calls an external file
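
For responders examining a compromised web server, the layout listed above can serve as a file-system indicator. The following is an added example, not part of the original post or of the Zeus package; the threshold, the rule that cp.php and gate.php must both be present, and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Layout markers taken from the list above, relative to a candidate panel root.
PANEL_FILES = ["cp.php", "gate.php", "index.php",
               "system/config.php", "system/fsarc.php"]
PANEL_DIRS = ["install", "system", "theme"]


def score_directory(root):
    """Return (score, matched markers) for one candidate directory."""
    matched = [f for f in PANEL_FILES if os.path.isfile(os.path.join(root, f))]
    matched += [d + "/" for d in PANEL_DIRS if os.path.isdir(os.path.join(root, d))]
    return len(matched), matched


def find_panel_candidates(webroot, threshold=5):
    """Walk webroot and report directories matching at least `threshold` markers.

    Assumption: cp.php and gate.php must both exist, because index.php or a
    system/ folder on their own are common in benign PHP applications.
    The threshold is below 8 so a tree with /install removed still matches.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if "cp.php" not in filenames or "gate.php" not in filenames:
            continue
        score, matched = score_directory(dirpath)
        if score >= threshold:
            hits.append((os.path.relpath(dirpath, webroot), score, matched))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample: one directory with the full layout, one benign site."""
    panel = os.path.join(base, "images", "cache")
    for d in PANEL_DIRS:
        os.makedirs(os.path.join(panel, d))
    for f in PANEL_FILES:
        open(os.path.join(panel, f), "w").close()
    os.makedirs(os.path.join(base, "shop", "system"))
    for f in ("index.php", "system/config.php"):
        open(os.path.join(base, "shop", f), "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, score, matched in find_panel_candidates(build_sample_tree(tmp)):
            print(f"{path}: {score}/8 markers -> {', '.join(matched)}")
```

A match is only a lead for manual review, since file names alone are easy to change.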

The installation panel of previous versions, as seen in the screenshot, has five sections: Root login, MySQL server, MySQL tables, Paths and Local Options.

The new version is streamlined to four sections: Root user (authentication data, equivalent to Root login), MySQL server (login information for the database), Local folders (log file of Zeus's actions) and Options (which incorporates the default encryption option).

Another "interesting" thing this package incorporates is a module that lets you add scripts.

This implies a much broader scope, since it's possible to add as many and as varied scripts as the botmaster wants.

As we can see, crimeware continues to evolve, and Zeus is clear proof of how the "professionalism" of the cyber criminals engaged in the dark business that malware represents continues to climb positions within the criminal market.

Related Information
ZeuS Carding World Template. Playing at changing the face of the botnet
Financial institutions in the sights of the Zeus botnet. Part two
Financial institutions in the sights of the Zeus botnet. Part one
Zeus Botnet. Massive propagation of its trojan. Part two
Zeus Botnet. Massive propagation of its trojan. Part one
LuckySploit, the right hand of Zeus

# Jorge Mieres


KG said...

Nice presentation of information with screen-shots.


Anonymous said...

hey, thanks for the info)
i was wondering where do u get those new ver. of zeus ???)